Date:      Fri, 23 May 2003 16:33:09 +0200
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        Ruslan Ermilov <ru@freebsd.org>
Cc:        Frank Bonnet <bonnetf@bart.esiee.fr>
Subject:   Re: 5.1 beta2 still in trouble with pam_ldap
Message-ID:  <xzpr86pwx5m.fsf@flood.ping.uio.no>
In-Reply-To: <20030523062848.GG17107@sunbay.com> (Ruslan Ermilov's message of "Fri, 23 May 2003 09:28:48 +0300")
References:  <20030522184631.A23366@bart.esiee.fr> <xzp65o2zkhf.fsf@flood.ping.uio.no> <20030522224850.GK87863@roark.gnf.org> <xzpof1uy28n.fsf@flood.ping.uio.no> <20030523060846.GC17107@sunbay.com> <xzp4r3mxjrx.fsf@flood.ping.uio.no> <20030523062848.GG17107@sunbay.com>

Ruslan Ermilov <ru@freebsd.org> writes:
> In a chain with multiple "binding" modules, only the _last_
> failure gets ignored?  Meaning, if some other module succeeds,
> override the failure status, right?

Failure of a "binding" module causes the entire chain to fail once it
has completed.  The error returned is that returned by the first
non-"optional", non-"sufficient" module that failed.

Failure of a "sufficient" module, on the other hand, is always ignored
(so if no other non-"optional", non-"sufficient" module failed, the
chain will succeed).  This is what constantly surprises users, and
what "binding" was introduced to alleviate.

See the PAM article for details - particularly the following two
sections:

http://www.freebsd.org/doc/en/articles/pam/pam-essentials.html#PAM-CHAINS-POLICIES
http://www.freebsd.org/doc/en/articles/pam/pam-config.html#PAM-POLICIES

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
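
The control-flag rules described in the message above, as an added example that is not part of the original e-mail and is not OpenPAM code: a simplified Python model of chain evaluation. The two policies and the per-module outcomes are constructed for illustration, and chains made up only of "optional" modules are not modeled.

```python
# Added illustration: simplified model of PAM chain evaluation, following the
# control-flag rules stated in the message above. Not OpenPAM source code.
FLAGS = {"required", "requisite", "sufficient", "binding", "optional"}

def run_chain(chain, results):
    """chain: list of (control_flag, module) in policy order.
    results: dict module -> True (module succeeds) / False (module fails).
    Returns (granted, first_failed), where first_failed is the first
    non-"optional", non-"sufficient" module that failed, or None."""
    first_failed = None
    for flag, module in chain:
        if flag not in FLAGS:
            raise ValueError(f"unknown control flag: {flag}")
        ok = results[module]
        if flag == "optional":
            continue  # result ignored in this model
        if ok:
            # A "sufficient" or "binding" success ends the chain early, but
            # only if no earlier module has already failed.
            if flag in ("sufficient", "binding") and first_failed is None:
                return True, None
            continue
        if flag == "sufficient":
            continue  # failure of a "sufficient" module is always ignored
        if first_failed is None:
            first_failed = module  # a required, requisite or binding failure
        if flag == "requisite":
            break  # a requisite failure terminates the chain immediately
    return first_failed is None, first_failed

# Constructed policies: the same chain with pam_ldap.so as the last module,
# once marked "sufficient" and once marked "binding".
WITH_SUFFICIENT = [("required", "pam_nologin.so"), ("sufficient", "pam_ldap.so")]
WITH_BINDING = [("required", "pam_nologin.so"), ("binding", "pam_ldap.so")]

# Constructed outcome: the LDAP check fails (for example, a wrong password).
LDAP_FAILS = {"pam_nologin.so": True, "pam_ldap.so": False}

if __name__ == "__main__":
    for name, chain in (("sufficient", WITH_SUFFICIENT), ("binding", WITH_BINDING)):
        granted, failed = run_chain(chain, LDAP_FAILS)
        print(f"{name:10s} granted={granted} first_failed={failed}")
```

With "sufficient" as the last entry, the failed LDAP check is ignored and the chain still succeeds; with "binding", the same failure denies the request.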


